How Often Should You Really Test Your Incident Response Plan?

In the world of cybersecurity, we are well-aware of the increasing potential impact, and sophistication of, attacks on businesses.

But how often should you validate your Incident Response Plan?

We know the damage a data breach/exfiltration can cause. We even know the best way to prepare for such an attack: complete your Incident Response Plan and train your team with the help of tabletop exercises delivered by an expert facilitator who knows your business.

If it’s your first time conducting a tabletop exercise or your tenth, we must understand that training is a process, not a one-time event. Training as you fight means training with changing terrain and forces in mind, internal and external.

Overall, RedLegg recommends that your Information Security Team with or without executives in tow, completes a tabletop exercise four times a year. Here’s why.

Why you should conduct a facilitated tabletop exercise four times a year.

We found six reasons why your business would benefit from a quarterly, facilitated tabletop exercise:

1. Fresh and on your toes – keep your IR Plan active.

As we handle busy schedules and zero-day attacks, it’s rather easy to let your IR Plan become stagnant. By training through a tabletop exercise, you are actively remembering your IR Plan and keeping it fresh in your team’s mind. An active IR Plan means better “muscle memory” when a breach occurs.

A quarterly tabletop keeps you on your toes with the changes that occur over an entire business year, and your facilitator will help you keep a forward-facing security approach.

2. Your team members change, train your employees and contractors.

People come and go, and your IR Plan should reflect those updates. A quarterly tabletop exercise helps train new employees as well as the veterans who have gone through internal organizational changes. And let’s not forgot those contractors and third-party partners. Your facilitator will be able to help you navigate your changing internal terrain.

Conducting your tabletop exercise four times a year will help your team manage an incident response with the current organization’s structure.

3. Your environment changes, keep your response up to date.

Your business’s environment changes internally and externally, continuously adapting to the risk and threat landscape. With a quarterly tabletop exercise, your response stays up to date with those changes in personnel, valued assets, and vertical risks. The facilitator will be able to identify and reflect those changes in your tabletop exercise.

4. Continuously educate the participants involved in your TTX.

Whether conducted with just your Information Security Team or with executive leadership participation, a quarterly tabletop informs everyone involved, helping to close gaps in knowledge and communication. Tabletop exercises can help keep tabs on current educational and training needs within your organization, focusing on improvement of your cyberdefense weakest areas..

5. Create and build upon your proactive preparedness program.

This point goes hand in hand with the previous. A tabletop conducted more than once a year creates a schedule and internal awareness of a proactive security program within your organization. Tabletop exercises can become the baseline of a preparedness, a starting point in implementing security training for your employees. The facilitator is an expert resource for future security planning.

Essentially, a consistent tabletop shows a consistent focus on security to your employees and clients.

6. Prepare your IT team before getting your company leadership involved.

We don’t want to say this is the most important point, but it is a point that is often overlooked when conducting a tabletop exercise. In our experience, the most effective tabletops are conducted first with the IT and security team then conducted a second time in conjunction with company Leadership.

If the security team doesn’t know the IR Plan, then the tabletop may be quite painful to bear for the executive leadership in attendance. We recommend giving the IT and security team a practice round before demonstrating their expertise to the C-suite. (No one wants to look incompetent in front of the boss.)

Consistent facilitator, more consistent programming.

Don’t plan your quarterly tabletop exercises alone. As the task of conducting a tabletop exercise becomes more frequent, you’ll have the advantage of testing and validating your changing risk posture over the course of the year. In the cyber world, a lot can change in a year!

When conducting a tabletop with a facilitator, you can experience all the benefits and none of the stress of managing the exercise by yourself. Here are just nine of those benefits below:

1. You can draw on external expertise.

While your preconceptions may influence your approach to the tabletop, the expert evaluates your Incident Response Plan with fresh eyes and from a fresh angle. You can now also be part of the exercise, practicing your own incident response responsibilities.

The facilitator is also an experienced professional, able to handle interdepartmental participant groups of various sizes, demonstrating security threats and trends knowledge specific to your vertical. You can be sure your tabletop will be focused and effective.

2. You receive custom developed scenarios.

Instead of developing your own scenarios or using slides you found and modified from the internet, a facilitator gets to know you, your business in the scope of the industry, and your technology. The entire exercise is tailored to your organization and your existing people, processes, and technology.

3. You are guided through the exercise to keep the pace and enable communication.

With a facilitator, your team keeps on pace and is guided through the discussion, avoiding rabbit-hole discussions and staying focused on main activities/objectives. An outside expert is able to command the room and inspire conversations that will benefit your organization and your Incident Response Plan.

4. You realize cost savings – better product with less time spent on your side.

Need we say more? Using your work, or even personal, hours will not yield a better experience or result than a facilitated tabletop exercise. It’s real-life response practice, tailored to your business with applicable and effective action items.

5. The tabletop exercise is tailored to your organization and your team.

No tabletop is one-size fits all. Every organization and team look different depending on the industry and the environment. The exercise will be tailored to your existing team, processes, and technology. When your organization experiences a change in any of these three areas, your exercise will reflect those changes next time around. Tabletops are meant to evolve with the organization and its environment.

6. You gain insights into industry-wide attack/breach trends.

Because a tabletop facilitator’s role is to conduct these exercises across organizations of different shapes and sizes, the facilitator will have insights only known to someone interacting in this broad terrain. Your team may stay up to date on threat intel and groundbreaking news on breaches, but a facilitator provides a comprehensive point of view that you can’t get anywhere else.

Objectivity is key. By removing yourself from the exercise planning process, you’ll have an unbiased and non-skewed view of your response effectiveness and effectiveness of the plan itself. A facilitated exercise provides the confirmation you’re after, while a self-conducted tabletop may build further doubts and result in undue concerns.

8. You will receive documented observations with recommendations.

Walk away from your tabletop exercise with action items and real improvement to your Incident Response Plan. The facilitator will provide observations and recommendations to improve your security incident response and even your security posture. Through a keen observation and note taking, your facilitator can identify areas of improvement and recommend next steps.

9. You can focus your work-time and energy on your daily issues and responsibilities.

Last but not least, you can dedicate your work-time to those daily issues and responsibilities. You can use your time to further improve your security posture rather than becoming buried in brainstorming or administrative activities. Let the expert take the exercise off your already-very full plate.